Gotta side with MS on this one. The point of going public in the past was to force companies to acknowledge the holes in their products and patch them. These days it seems MS at least are very actively trying to plug any holes spotted, so going public doesn't help matters.

If anything it's like going to the malicious folks out there and saying "Hey MS is about to fix this hole, quick hurry and exploit it before it's too late!"

For security professionals, it's nothing more than complete irresponsibility to post vulnerabilities, much less with exploit code (ed. like above I mean). Most security companies will give you MONTHS to fix the problem before they publish it, and they will keep in contact with you the whole time. 4 days is idiotic.

Gotta be +3 here, one plus for each of the above points by Eóin, Renegade and Stoic Joker.

I'm all for making exploits details + proof-of-concept code public, but only after the software vendor has had a reasonable amount of time to fix the bug. Microsoft have been pretty damn bad in the past, but they've measured up - and are pretty open about security these days.

There is no excuse for publishing this sort of detail when no fix is available.

If there is a temporary workaround, that should be suggested, along with a reason, but details are pretty unforgivable.

What will happen when someone sues Google for publishing the method by which a company gets attacked? It's a bit like publishing how to make nerve gas and then saying 'not guilty' when terrorists use the recipe!

I can understand it from a security standpoint but the thing is, this is Microsoft.

Whatever their intent is now, it doesn't cover up their years and years of failing to secure things.

This is one of those cases where it looks bad because of the proper tradition of why things are done and should be done.

However, in this same token, it's Microsoft. Sure it's unprofessional and dangerous, but the reputation of Microsoft on security has already sunk into the culture of computing, so Microsoft should just man up and fix this instead of turning this into some PR/media complaint. It's not like they couldn't have put more focus on a more valid complaint, as the article showed:

Reavey also criticized Ormandy for not being thorough in his analysis: “It turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented.”

But why go so far as to excuse and side with Microsoft this time? At the very least, stay neutral and cite why it's bad policy, but going so far as to say what one should or shouldn't have done and why one side is correct while ignoring that side's past? It seems like it's that attitude that has allowed security by obscurity to continue, and it's that kind of support that will eventually make it "sometimes security by obscurity, sometimes we'll disclose it."

Just fix it and move on. You're Microsoft not some development team with a long history of emphasizing utmost security.

Microsoft's bad security days are WAY a thing of the past. In Internet history, it's prehistoric.

Google has shown an utter disregard and disrespect for Windows users with a completely flagrant and irresponsible spit in the face to both Microsoft and all Microsoft customers (which also happen to be Google customers). Google has clearly shown that it is more concerned with hurting its competition than in caring for its customers.

4 days is very, very far from reasonable.

The reality of security is that Windows is more secure than most other operating systems by a very wide margin. Literally. (You can't stop idiots from getting hacked no matter what platform, so that's really not a valid complaint about Windows.)

As for Microsoft's security history, a look at the last few years shows that they are among the best in the industry.

As for this being Microsoft or anyone else -- that's largely irrelevant. The fact is that Google disclosed a security vulnerability without allowing the product vendor the opportunity to fix the problem. This is simply inexcusable and unforgivable. It doesn't matter whether it is Microsoft or anyone else. It is standard to give vendors a couple months to get the problem fixed and rolled out, much less disclose the vulnerability WITH EXPLOIT CODE!!!!!

Actually, I need to take something back. It isn't Google spitting in people's faces. That would be irresponsibly disclosing the vulnerability. They disclosed exploit code. No... Google pissed in everyone's face.

Again, that it was Microsoft only shows that Google is more interested in pissing in people's faces to spite its competition than in acting like a responsible, good corporate citizen.

I seriously doubt that this would happen for ACME Software Inc. because they're not any kind of threat or competition for Google.

Problem is, Tavis Ormandy has submitted numerous security bugs and larger issues for years, and in return has waited months and years for patches. Seems like he just got tired of waiting on someone at Microsoft to write better code.

Granted and agreed. The "corporation" is basically a license to sin. All the rights and privileges of the state with none of the responsibilities or obligations. Google apparently doesn't understand that "evil corporation" is a pleonasm. (Yes - I am extremely cynical on the topic of corporate agency.)

(Though I'm honestly not so hard on Microsoft ("karma"). I've seen enough of the good that they do and never get credited for. The ONLY press that Microsoft gets is bad press. If Microsoft cured cancer, the press would scream that they didn't cure leukemia. Microsoft simply cannot win. Ever.)

Yeah, I understand where I can come off like this but to me, it's not prehistoric. It's just cultural understatement.

Just because Microsoft has improved in such a way that they now please security-concerned techies doesn't somehow mean their reputation has overcome the ingrained culture their reputation has, and to me, these kinds of distracting articles of "Oh noes! How dare someone act disillusioned with us and not give us a chance..." counter-reaction just show to me that Microsoft is still mostly playing the PR game.

They could have easily focused on how Google botched up the security fix, but instead they sensationalize this whole bad protocol to rile up the techies whom they know would over-react and turn this not into a security by obscurity issue but instead a "Google is bad" issue.

Google has shown an utter disregard and disrespect for Windows users with a completely flagrant and irresponsible spit in the face to both Microsoft and all Microsoft customers (which also happen to be Google customers). Google has clearly shown that it is more concerned with hurting its competition than in caring for its customers.

And Microsoft has shown an utter disregard and disrespect for Windows users' security for years, in such a way that a lot of newbie users developed bad security habits.

This is a case where I'm for Google hurting the competition because even if it's unprofessional, it's a stress test for Microsoft. You've pleased the techies now let's see how you buy back people's trust. How you react to cases like this.

If these type of habits become abused to the point that it endangers Microsoft customers beyond one or two incidents, sure go ahead. Make these kind of comments as a call to action.

But this is a limited incident and the way we're now talking about it: Look! We're no longer talking about the security issue. Microsoft's complaint has now turned this into "Oh...bad bad bad Google...or...oh...MS is right on this one."

Why?!

Proper disclosure of security exploits is there because of security but now even if the "technicality" of why it's wrong is still mentioned, Microsoft has turned this into political mudslinging where the big news is how Google is the evil idol instead of the security issue being at the forefront of the discussion.

4 days is very, very far from reasonable.

The reality of security is that Windows is more secure than most other operating systems by a very wide margin. Literally. (You can't stop idiots from getting hacked no matter what platform, so that's really not a valid complaint about Windows.)

It is a valid complaint because it is a cultural complaint in my opinion.

That's the disconnect though. At the end of the day, this kind of article has done its job and eventually it's going to be the new type of FUD.

One that passes the buck, not necessarily on the issues, but one that creates uncertainty about which specific forefront issue needs to be emphasized, discussed and paid attention to.

Still, I'm exaggerating what hasn't happened yet but this is why things like these frustrate me.

Articles written like these are what creates a rabid disconnect and prevents non-knowledgeable users from "empathizing" and understanding why this is a big issue. Meanwhile, people with the background and knowledge end up playing American Idol, "who displeases me more on this issue because the right way was done wrong", and true, they have a valid point, but that point in the long run just reads "I'm siding with Microsoft now" instead of just sticking with the security reason for why it's wrong.

You could almost see it in this thread. Lots of complaints about the reporting but very little acknowledgement of the incomplete analysis and easily circumvented workaround when that is just as much a huge deal if not bigger from a security perspective and a bigger security issue considering who disclosed it.

As for this being Microsoft or anyone else -- that's largely irrelevant. The fact is that Google disclosed a security vulnerability without allowing the product vendor the opportunity to fix the problem. This is simply inexcusable and unforgivable. It doesn't matter whether it is Microsoft or anyone else. It is standard to give vendors a couple months to get the problem fixed and rolled out, much less disclose the vulnerability WITH EXPLOIT CODE!!!!!

Actually, I need to take something back. It isn't Google spitting in people's faces. That would be irresponsibly disclosing the vulnerability. They disclosed exploit code. No... Google pissed in everyone's face.

Again, that it was Microsoft only shows that Google is more interested in pissing in people's faces to spite its competition than in acting like a responsible, good corporate citizen.

I seriously doubt that this would happen for ACME Software Inc. because they're not any kind of threat or competition for Google.

Exactly. But look at your post now.

The details, the points, they're all correct. But instead of security, you're more interested in creating analogies of what Google's actions correlate with other rude actions.

At the end of the day, this is what the article has done and that's why I still side with Google on this. Not because it's Google but it's a long time coming and Microsoft's stance needs to be tested further by such acts.

I'm not saying I want the act or I support the act because at the end of the day, it's still a code exploit but there's also issues extending from that.

...but the main important thing is, this article which was a security issue causes people to react as if it was a political or business issue and it distracts and that's why I'd rather be off-base here if this is how I come off than be satisfied at seeing how things get riled up in the wrong type of sensationalism that has caused issues to be boggled.

If this is confusing, to use politics as an analogy, this is like politicians bringing up a side issue to distract from the main issue. It's not that the people are suddenly talking in wrong terms, especially the knowledgeable people, but the core issue has been turned into a side issue, and that's only going to worsen the cultural gap over what the more important issue is whenever similar future incidents get reported like this.

Google is no exception. In fact, their rhetoric demands we hold them to their word. Microsoft is no exception. Neither is Apple (under FTC investigation this week).

Like it or not, these companies exert vast influence over our tech lives. No, check that: our lives! Whether it's locking out developers, raising prices, insane EULAs, patent stupidity, data liberation, or what have you, we just want their products to work without ruining our data, our businesses, and wasting our time and money. But in every real world example, asking that is asking too much from a corporation! ("Corporations" aren't the problem, it's those fools who run them, give themselves hundreds of millions in compensation, and then when things go wrong because they cut corners, they claim: "No one could have known!")

This is a case where I'm for Google hurting the competition because even if it's unprofessional, it's a stress test for Microsoft. You've pleased the techies now let's see how you buy back people's trust. How you react to cases like this.

If this were just Google kicking MS I probably wouldn't care too much myself. But it's not, it's Google putting everyone in danger. And I really mean everyone! Holes like this are how worms spread, how bot-nets grow, and how mal-intentioned individuals can bring whole internet services to their knees, regardless of what OS the victims are using. There are no excuses for Google in this one!

As for buying back non-techies trust, well buy is the word, isn't it? Non-techies only believe what they see in ads, Apple has proved that. No amount of actual good deeds or responsible actions really matter these days.

Regardless of anyone's feelings about Microsoft, it's still extremely irresponsible for someone to do what that Google researcher did. Placing a can of gasoline and a book of matches on someone's front porch to make the case their house is at risk of catching fire is not the best way to warn people about flammability.

I'm sorry, but where does this guy get off increasing the risks to everybody using Windows just because he's annoyed Microsoft hasn't responded to his warning in what he considers an acceptable timeframe?

This is a case where I'm for Google hurting the competition because even if it's unprofessional, it's a stress test for Microsoft. You've pleased the techies now let's see how you buy back people's trust. How you react to cases like this.

If this were just Google kicking MS I probably wouldn't care too much myself. But it's not, it's Google putting everyone in danger. And I really mean everyone! Holes like this are how worms spread, how bot-nets grow, and how mal-intentioned individuals can bring whole internet services to their knees, regardless of what OS the victims are using. There are no excuses for Google in this one!

As for buying back non-techies trust, well buy is the word, isn't it? Non-techies only believe what they see in ads, Apple has proved that. No amount of actual good deeds or responsible actions really matter these days.

Again, exactly. It's the exploit that needs to be emphasized and how a security engineer can't even picked to disclose a 0-day exploit without first providing a full workaround but instead the focus is how "Google has no excuse."

Who cares if Google has an excuse for kicking MS' butt?

The important issue is the security. Not about lambasting Google. Microsoft had a good opportunity of fixing their image instead they reacted in ways that play a fool of even techies.

...and it's such a disrespect towards both sides and such a disconnect that further destroys the real important issue.

Obviously you're stretching, but now look where this article has led. Now you're stereotyping non-techies as Apple users and PC ignoramuses, when there are legitimate people who simply don't know the technical depth of the problem but are curious about the real world implications of such an act.

Now we're hate-choosing whether Google's actions are comparable to a bomb, a PoS, arson... I mean, it's over. This is the damage these types of articles do, and I know this is just a repeat of what I have said and I apologize for being redundant. I'll stop replying now; I only did so to emphasize my stance on this topic.

Actually the point repeated here over and over is that MS wasn't given an opportunity, 4 days is not enough. Or are you proposing an alternative approach to MS improving their security image other than by regularly and responsibly patching holes?

All he had to do was share the code for the exploit with any of a dozen well respected security sites like Heise Online or CERN if he wanted to get traction. He did not have to broadband it out on the web. Which leads me to conclude part of his motivation was a distinct desire to create trouble for Microsoft when he did so. That's a move that has more in common with a daily tabloid than a computer professional. You don't deal with security issues by handing out copies of exploit code to anybody who wants it. Even a 14 year old Second Life script-kiddy knows that much.

Maybe I'm less inclined to take a philosophical perspective on the issue because I deal with computer security and malware on a daily basis as part of my job. The really annoying part is that this crap is time consuming and somewhat expensive to deal with, whether it's as a preventative measure or as a decontamination issue. And it's a problem nobody needs - including people like me - who at least have the consolation of being able to make money helping get rid of it. I'd be perfectly happy if I never had to deal with cleaning up an infection or exploit for the rest of my life. And my services revenue stream and bottom line be damned! That's how sick I am of this stuff.

It's also important not to forget that malware and exploits are problems because people are writing and deploying them. And while Microsoft (or Apple, AT&T, et al) have some responsibility to their customers to help deal with this problem - they are not the ones who cause the problem. So let's not be too generous in overlooking the faults of the exploiters. The world needs operating systems. It does not need malware or criminal hackers.

So let's stop blaming the victims of these parasites. And that includes Microsoft.

Actually the point repeated here over and over is that MS wasn't given an opportunity, 4 days is not enough. Or are you proposing an alternative approach to MS improving their security image other than by regularly and responsibly patching holes?

Fixing holes ISN'T an opportunity, it's a necessity. Microsoft would be worse if they're slow at fixing security holes but they are not better for doing what everyone expects of them to do in the first place.

If MS wants to truly improve their security image, then focus on security and not mudslinging, even if the other side is wrong this time. Let the commenters, the public outcriers, the techies... let them provide the "dim views".

If the media insists on a comment, just point it out from a security perspective.

This shouldn't be an "also", this should be what's it all about:

Reavey also criticized Ormandy for not being thorough in his analysis: “It turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented.”

The other issue. The one with the obvious "Oh, doing it like this makes it dangerous for our customer." Take that out or at the very least, it should be the one included as an "also" for why the exploit should have been given ample enough time to fix.

Emphasize the security risk, not that you're butt hurt. In the context of details, sure, it sounds like I'm asking for a PC repairman to talk to me about the broken processor before the burnt out motherboard, but in the context of reducing sensationalism, magnetizing views on your newfound focus for security, and inciting techies to worry more about the security exploit rather than how wrong your competitor is now, that's the needed approach, especially if you have a historical reputation for having poor security but more importantly for engaging in FUD and EEE!

The reason my remarks seem out of context (along with the cryptic reference to crusaders) is because I inadvertently posted that comment here when it was supposed to be going to a totally different website.

Why I quoted your line is anybody's guess. I think I started to say something but then got distracted by the discussion going on over in another forum and got confused about where I was.

Gotta stop keeping dozens of tabs open. I'm obviously not that good at it. That or confining myself to one discussion at a time.

I'll leave it here since deleting it would only make your response to it even more confusing to the next reader.

Interesting, 40hz, how in most of your responses you focus on the reporter himself, as an individual, avoiding the Google focus that everyone else seems to have. That was my first thought too, and in fact Google and the researcher himself both claim it was an independent action: http://www.networkwo...e-can-wash-hands-win Not surprisingly of course, but this doesn't mean it's not true. That article tries to paint the picture that it's Google's responsibility anyway, but provides no evidence for the potential falsehood of the claim, and doesn't make a very compelling argument for why Google should be blamed.

I know I'm probably starting to sound like a Google apologist, but when you have multiple people almost literally screaming for Google's blood in this thread, I don't feel so bad.

To those who think this "can't be forgiven", what exactly does that mean to you? What reaction do you suggest?

The reality of security is that Windows is more secure than most other operating systems by a very wide margin. Literally. (You can't stop idiots from getting hacked no matter what platform, so that's really not a valid complaint about Windows.)

It is a valid complaint because it is a cultural complaint in my opinion.

We're going to have to agree to disagree on that one. I simply cannot see blaming Microsoft because some of its customers are idiots.

To me, it's like blaming Smith & Wesson because some idiot left a loaded gun out for his kid to shoot herself. (There was a recent thread on that one here.) We can't just blame the manufacturer because we're too lazy/stupid/irresponsible.

...You could almost see it in this thread. Lots of complaints about the reporting but very little acknowledgement of the incomplete analysis and easily circumvented workaround when that is just as much a huge deal if not bigger from a security perspective and a bigger security issue considering who disclosed it.

As for this being Microsoft or anyone else -- that's largely irrelevant. The fact is that Google disclosed a security vulnerability without allowing the product vendor the opportunity to fix the problem. This is simply inexcusable and unforgivable. It doesn't matter whether it is Microsoft or anyone else. It is standard to give vendors a couple months to get the problem fixed and rolled out, much less disclose the vulnerability WITH EXPLOIT CODE!!!!!

Actually, I need to take something back. It isn't Google spitting in people's faces. That would be irresponsibly disclosing the vulnerability. They disclosed exploit code. No... Google pissed in everyone's face.

Again, that it was Microsoft only shows that Google is more interested in pissing in people's faces to spite its competition than in acting like a responsible, good corporate citizen.

I seriously doubt that this would happen for ACME Software Inc. because they're not any kind of threat or competition for Google.

Exactly. But look at your post now.

The details, the points, they're all correct. But instead of security, you're more interested in creating analogies of what Google's actions correlate with other rude actions.

At the end of the day, this is what the article has done and that's why I still side with Google on this. Not because it's Google but it's a long time coming and Microsoft's stance needs to be tested further by such acts.

But the disclosure is the worse security issue. I'm not glossing over the security issue. I'm addressing the more serious security issue here. Granted, I'm also pointing out the political side of that as well. But you can't really separate the 2. They are linked. The disclosure has a motivation. They need to be in context.

There always will be bugs and exploits in software, but disclosing them in an irresponsible manner like that is the bigger issue. i.e. That there is a security issue (the Windows vulnerability) is the given. But that's not the central issue. New vulnerabilities are not security issues until they are public or actively being exploited. It's the responsibility of the security professional to disclose to the manufacturer, and not to put it out in the open. In that way, security vulnerabilities do not become issues, which is what we all want. We want the problem fixed before it becomes a problem. This guy made a non-problem into a problem. THAT is the problem here. Not the original Windows vulnerability that was not being exploited prior to his disclosure.

It's one thing to be a weapons manufacturer, but it's another thing to sell weapons to thugs, criminals, and terrorists. Which is effectively what happened here.

As for security, Microsoft (in the past few years) has done a very good job. Most companies do not patch security issues nearly as effectively as Microsoft. It's a business issue. Does the risk that an exploit poses justify the cost of patching the issue? For a lot of software authors, the answer is "no".

Having worked in the industry for some time, I've seen exploits before they've been made public and seen companies basically ignore them because the risk was small or the cost was high. It does no good to go out of business because of security costs.

The timing on this is really too much to ignore -- Google just got rid of Windows because of "security", and now this? Hogwash. It's a deliberate attempt to discredit Microsoft and Windows. There is no "lone gunman" here. That's rubbish. But that's the political side of irresponsible security.